10110111 / edb-debugger

edb is a cross platform x86/x86-64 debugger.
GNU General Public License v2.0

Try to read LDT for 32-bit debuggee #10

Open 10110111 opened 9 years ago

10110111 commented 9 years ago

For 32-bit debuggees, try to read the LDT (by injecting a modify_ldt(READLDT=0) syscall) to be able to show segment bases in more cases.
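As an added illustration (not code from the edb project or this issue) of what the debugger would have to do with the bytes that modify_ldt function 0 hands back: each LDT entry is a raw 8-byte x86 segment descriptor, so the base and limit have to be reassembled from their scattered fields before a segment-register view can display them. The `read_ldt` helper reads the calling process's own LDT rather than an injected call in a debuggee, and the `main` just dumps whatever entries are present (usually none on a plain Linux process).

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Decoded form of one 8-byte x86 segment descriptor (hypothetical helper type). */
struct seg_desc {
    uint32_t base;
    uint32_t limit;   /* byte-granular limit after applying the G bit */
    int present;      /* P bit of the access byte */
    int dpl;          /* descriptor privilege level */
};

/* Unpack the raw descriptor layout: limit 15:0 in bytes 0-1, base 15:0 in bytes 2-3,
 * base 23:16 in byte 4, access byte 5, limit 19:16 + flags in byte 6, base 31:24 in byte 7. */
struct seg_desc decode_descriptor(const uint8_t d[8])
{
    struct seg_desc s;
    uint32_t raw_limit = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s.base = d[2] | (d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    /* G bit set: limit counts 4 KiB pages, so the low 12 bits of the byte limit are all ones. */
    s.limit = (d[6] & 0x80) ? ((raw_limit << 12) | 0xFFF) : raw_limit;
    s.present = (d[5] >> 7) & 1;
    s.dpl = (d[5] >> 5) & 3;
    return s;
}

/* Read the calling process's LDT into buf; returns the number of 8-byte entries, or -1. */
int read_ldt(uint8_t *buf, size_t size)
{
#if defined(__linux__) && defined(SYS_modify_ldt)
    long n = syscall(SYS_modify_ldt, 0, buf, size);  /* func 0 = read LDT */
    return n < 0 ? -1 : (int)(n / 8);
#else
    (void)buf; (void)size;
    return -1;   /* modify_ldt is Linux/x86 only */
#endif
}

int main(void)
{
    uint8_t ldt[8 * 16];
    int n = read_ldt(ldt, sizeof ldt);
    if (n < 0) { perror("modify_ldt"); return 1; }
    for (int i = 0; i < n; i++) {
        struct seg_desc s = decode_descriptor(&ldt[i * 8]);
        if (!s.present) continue;
        printf("LDT[%d]: base=0x%08x limit=0x%08x dpl=%d\n", i, s.base, s.limit, s.dpl);
    }
    return 0;
}
```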

10110111 commented 9 years ago

To get bases (and possibly limits) of the remaining segments, we could try the following:

  1. mprotect all the memory but one page (which will hold the code we inject) to make it inaccessible
  2. Save eax
  3. For each offset starting from 0, try to do mov eax, [SREG:OFFSET]
  4. Get a segfault with SEGV_MAPERR or SEGV_ACCERR, read si_addr
  5. Compute SREG_base=si_addr-OFFSET

This should be a menu item of a segment register view, since it seems it'll be time-consuming, and it also might play badly with signals which the debuggee might get while doing this search.

Limits can be found using a segfault with si_code!=SEGV_MAPERR && si_code!=SEGV_ACCERR.

10110111 commented 9 years ago

Note that we don't have to re-retrieve the LDT on each trap: it's enough to catch syscalls with eax==__NR_modify_ldt and ebx==1||ebx==0x11, which would try to change an LDT entry.